Published:2016/04/06 Last Updated:2016/04/07
JVN#26627848
baserCMS plugin "Menubook Plugin" multiple vulnerabilities
Overview
baserCMS plugin "Menubook Plugin" contains multiple vulnerabilities.
Products Affected
- Menubook Plugin Ver.0.9.2 and earlier
Description
baserCMS plugin "Menubook Plugin" contains multiple vulnerabilities:
- Cross-site scripting (CWE-79) - CVE-2016-1169
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - Cross-site request forgery (CWE-352) - CVE-2016-1170
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
The affect of each vulnerability is as follows.
- An arbitrary script may be executed on the user's web browser - CVE-2016-1169
- An arbitrary administrative operation such as setting alteration may be performed - CVE-2016-1170
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
Vendor | Link |
Hiniarata Co.,Ltd. | Important notice for our plugin products users |
References
JPCERT/CC Addendum
According to the information provided by the developer, these vulnerabilities were addressed in the following products:
- baserCMS plugin "Recruit Plugin" Ver.0.9.2 and earlier
- baserCMS plugin "Casebook Plugin" Ver.0.9.3 and earlier
- baserCMS plugin "Schedule Plugin" Ver.0.9.5 and earlier
- baserCMS plugin "Menubook Plugin" Ver.0.9.2 and earlier
- baserCMS plugin "Cast Plugin" Ver.0.9.2 and earlier
- baserCMS plugin "Voice Plugin" Ver.0.9.6 and earlier
Vulnerability Analysis by JPCERT/CC
Credit
Takaesu Isao of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2016-1169 |
CVE-2016-1170 |
|
JVN iPedia |
JVNDB-2016-000042 |
JVNDB-2016-000043 |
Update History
- 2016/04/07
- CVE identifiers were re-assigned and a note in the "JPCERT/CC Addendum" has been added.